An expert in cybersecurity and digital forensics and exploits developer from Russia has publicly disclosed a zero-day vulnerability in all versions of VirtualBox 5.2.20 and earlier. VirtualBox is an open source virtualization software developed by Oracle and has been widely used, as reported by experts from the International Institute of Cyber Security.

According to the analysis of Sergey Zelenyuk, the problems of memory corruption are responsible for this zero day vulnerability, also mentions that the exploit is 100% reliable. The vulnerability affects the Intel PRO/1000 MT Desktop (82540EM) network card (E1000) if the network mode is set to Network Address translation (NAT). The problem prevails in a virtualization software-shared code base, which is available literally on all operating systems.

According to experts in digital forensics, this vulnerability is not specific to this platform or some operating system mainly because it is present in a shared code base. Zelenyuk has also shown the steps to follow to exploit vulnerability. Through the exploitation of this flaw, an attacker can evade the virtual environment of a guest computer and gain direct and easy access to the Ring 3 privilege layer, which is used to execute the encoding of most user programs with minimum privileges.

Zelenyuk discovered that the error can be exploited on those virtual machines that have been configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter only when NAT mode is enabled, while the default setting allows the system guest can access external networks. Zelenyuk explains clearly the error in his blog: “The Intel PRO/1000 MT has a zero-day vulnerability that allows an attacker with administrator privileges to operate as a guest to escape a host3 ring. The attacker can then use existing techniques to escalate privileges to ring 0 through /dev/vboxdrv.

In addition, he stated that it is important to understand the way this failure is exploited, because it is the key to understanding how context descriptors are processed before data descriptors. Zelenyuk demonstrated how the conditions needed to obtain a buffer overflow are activated, which can be exploited to evade the virtual operating system’s confinements.

The digital forensics expert used package descriptors to produce a suboverflow condition in data segments that cause the network adapter to locate package data from the network by searching the system memory. Next, Zelenyuk read the guest operating system data in a stack buffer to create an overflow condition. This led to overwriting of function pointers, which can be understood as a stack overflow condition.

Zelenyuk further explained in its technical report that the exploit depends on two overflow conditions and the vendor access to the Ring 3 level permissions, therefore, to control the host operating system, it is necessary to obtain a privilege escalation. An attacker can do that by linking another vulnerability to achieve greater privileges, which is a difficult process but certainly not impossible, according to Zelenyuk.